Authors, are you ready for GDPR?

Excellent summary post from the Authors Guild about GDPR and the effect for authors selling into the EU.

WHAT IS GDPR?

In 2016, the European Union adopted its new General Data Protection Regulation (GDPR), which will take effect on May 25, 2018. The regulation, which aims to strengthen EU citizens’ rights to protect their personal data, may seem inconsequential to anyone outside the EU. However, it will change the face of data privacy and protection around the world and will require almost immediate action from anyone who gathers any personal information, including email or IP addresses, from EU citizens, regardless of where the collector of the personal information is located. Starting May 25, anyone who collects any such information, including through the use of cookies, will have to obtain explicit permission from EU citizens to use the data and explain in clear, unambiguous language exactly how it will be used. Violations of this regulation can be extremely costly and can incur millions in fines.

HOW DOES GDPR AFFECT AUTHORS?

Due to the globalized nature of business and the internet, anyone who has an online presence is affected. The EU’s broad definition of personal data means that basically any information one holds on EU citizens—such as email addresses, IP addresses, and posts on social networking sites—falls under the new regulation.

While the GDPR imposes a number of requirements that are new to individuals and entities outside the EU, here are the ones likely to apply to authors:

The EU citizen whose personal information is at issue must consent “by a clear affirmative action” to the use of their data, and must have the right to withdraw their consent at any time.

Where the information of a child under the age of 16 is involved, a parent or guardian must give the necessary consent.

The personal data collected must be for explicit (and of course, legitimate) purposes, and must be accurate and kept up to date.

The individual must be able to access their personal data (and to restrict how it is used).

In the event of a data breach, the company (or individual) holding the data must notify the “supervisory authority” (of the EU state whose inhabitants are affected) within 72 hours.

Such data must be erased at the request of the individual (this relates to the European “Right to be Forgotten”).

Many authors who have websites already possess some information about their readers or site visitors. Even if just some of that information relates to EU citizens, you will need to comply with the regulation. Going forward, you should collect only data that you absolutely need and should not share the data with others without prior approval from the individuals in question. It should be noted, however, that the GDPR does require EU member states to reconcile these provisions with “the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.”

In order to comply with the law, anyone with email lists, for example, should start auditing those lists and should reach out to any recipients based in the EU to obtain their explicit consent to use their data; and, if consent is not obtained for any contact, that contact should be deleted. Authors with websites should also make sure that they’ve updated their privacy notice and terms of service pages prior to May 25 to clearly state how they will use any collected data. You can find a privacy notice checklist here.

If you build your email list by hosting contests, raffles, and giveaways, or you use email marketing as part of your book promotion, you should be sure your subjects are actively opting in to give their consent to be added to your mailing list. Such express consent can be obtained by having users click “Accept” on a privacy notice or other terms of service that clearly spell out how personal data is collected and might be used, or by having the user email you to express their consent; pre-ticked boxes or consent language buried in the terms and conditions will no longer do the trick. And remember, you need to go back to any Europeans already on your email list to have them actively opt in to being on your email list for you to continue emailing them, in case you are asked to provide substantiation of their consent in the future.

The compliance burden most likely will fall largely on the data processors and online platforms who run the online services used by authors, but authors should make sure they are prepared to cooperate with their data processors and that they understand the limitations and requirements placed on themselves by the regulation.

We suggest that authors consult with any data processing platforms that they use for more information. Providers like Mailchimp and Emma have many resources and forms available to help with compliance.